Download Circuit principles and weak pigeonhole variants

Circuit principles and weak pigeonhole variants
Chris Pollett
Norman Danner
214 MacQuarrie Hall,
Department of Computer Science
San Jose State University
One Washington Square, San Jose CA 95192.
Email: [email protected]
Department of Mathematics and Computer Science
Wesleyan University
Middletown, CT 06549-0128
Email: [email protected]
Abstract
This paper considers the relational versions of the surjective and multifunction weak pigeonhole principles
for PV , Σb1 and Θb2 -formulas. We show that the relational surjective pigeonhole principle for Θb2 formulas in S21 implies a circuit block-recognition principle
which in turn implies the surjective weak pigeonhole
principle for Σb1 formulas. We introduce a class of
predicates corresponding to poly-log length iterates
of polynomial-time computable predicates and show
that over R22 , the multifunction pigeonhole principle
for such predicates is equivalent to an “iterative” circuit block-recognition principle. A consequence of
this is that if R32 proves this circuit iteration principle then RSA is vulnerable to quasi-polynomial time
attacks.
Keywords: Bounded arithemtic, circuit lower bounds,
pigeonhole principle, RSA, cryptography.
1
Introduction
The weak pigeonhole principle (WPHP ) states that
given a function from a set of size n2 into a set of size
n, there are two elements in the domain that map to
the same element in the range. This principle gives
one the ability to do a limited amount of counting
with regard to the function in question. The weak
pigeonhole principle has been used in the context of
propositional proof complexity to define sequences of
true formulas which do not have short resolution or
constant depth Frege proofs (Ajtai 1994, Beame, Impagliazzo, Krajı́ček, Pitassi, Pudlák & Woods 1992).
It has also been well-studied in the context of first order logic. Here one adds the principle for some class
of relations—for instance, the p-time computable relations or the ∆0 relations—to a weak system of arithmetic and considers what new results are provable
in the strengthened system. An early result of this
type is that I ∆0 +WPHP (∆0 ) proves there are infinitely many primes (Paris, Wilkie & Woods 1988).
The pigeonhole principles in both contexts are intimately related via well known translations of first
order bounded arithmetics into sequences of propositional proofs (Paris & Wilkie 1985, Krajı́ček &
Pudlák 1990).
c
Copyright 2005,
Australian Computer Society, Inc. This paper appeared at Computing: The Australasian Theory Symposium (CATS 2005), Newcastle, Australia. Conferences in Research and Practice in Information Technology, Vol. 41. Mike
Atkinson and Frank Dehne, Ed. Reproduction for academic,
not-for profit purposes permitted provided this text is included.
Besides the traditional injective pigeonhole principle described above, many other flavors have been
considered in the literature. These include the surjective pigeonhole principle which says that there is no
surjective function from a set of size n onto a set of
size 2n, the bijective pigeonhole principle which combines the injective and surjective principles, and the
multifunction pigeonhole principle which is like the
injective principle but defined in terms of multifunctions rather than just functions. In weak theories of
arithmetic it might not be provable that these pigeonhole notions coincide.
Recently, Jeřábek (2004, §3) has shown that the
surjective pigeonhole principle for p-time functions is
connected with circuit lower bounds. He shows that
in bounded arithmetic S21 the surjective weak pigeonhole principle for p-time functions is equivalent to the
statement that for each fixed k > 0 there is a string of
length 2nk which is hard for circuits of size nk . Here
S21 is a theory which roughly has length induction for
NP predicates. Given this result it is natural to ask
whether the other forms of the pigeonhole principle
can be connected to circuit principles. Jeřábek’s result was for the pigeonhole principle expressed using
p-time functions so it is further natural to try to extend his results to the case where the surjection is
expressed as the graph of a function rather than by
a function symbol, thereby allowing consideration of
functions more complex than p-time.
Razborov (1995, App. C) has argued that Shannon’s counting argument cannot obviously be formalized in S21 . As a consequence, S21 cannot, at least in a
direct way, formalize Kannan’s result (Kannan 1982)
that there is a set in NEXPNP that is not in P/poly.
To a large degree, these statements are consequences
of Parikh’s Theorem which shows that S21 cannot define functions of super-polynomial growth. Nevertheless, it is open whether S21 can prove a “weak Kannan result”—the existence of sets Ak which require
circuits of size greater than nk for each fixed k. It
is also still open whether, if for one fixed set A defined by a bounded arithmetic formula, S21 can prove
the sequence of statements: “A requires circuits of
size greater than nk ”, for each fixed k > 0. A positive answer to this latter question would imply S21
could prove P 6= NP, and so, of course, P 6= NP would
hold in the real world. Jeřábek’s result to some extent gives an upper bound on the theory required to
prove a weak Kannan result, for once we know a hard
string exists, if we can obtain a least such string, we
can construct a fixed set which is hard for size-nk circuits. This kind of argument can be carried out in the
theory S23 , where S2i is defined roughly as the theory
with length induction for the ith level of polynomial
hierarchy. This is because S23 can do the necessary
minimization and Paris et al. (1988) have shown that
S23 proves the weak pigeonhole principle for p-time
functions (see (Krajı́ček 1995) for an exposition). It is
interesting to ask whether one can make any progress
on showing a matching lower bound on the theory
required.
The intent of this paper is to show that to some extent all of the questions posed above can be answered.
For the remainder of this introduction, n = |x| for
some x. Let sWPHP (Ψ) (resp. mWPHP (Ψ)) denote
the surjective (resp. multifunction) weak pigeonhole
principle for the relations in Ψ. We show that over S21 ,
sWPHP (Θb2 ) implies there is a string S of length 2nk
that is not block-recognized by any circuit (code) of
size nk . That is, there is no such circuit such that for
b < 2nk−1 and s < 2n , C(b, s) outputs 1 if and only if
s is the b-th length-n block of S. Here Θb2 (sometimes
called Σb0 (Σb1 ) in the literature) is a class of formulas that precisely defines the sets in P NP (log), sets
computable in polynomial time using at most logarithmically many oracle queries to an NP set. On the
other hand, it is also shown that the existence of such
a hard string for each k implies sWPHP (Σb1 ). Here
the Σb1 -formulas correspond to the NP-sets. The reason for the slight gap is that specifying the uniqueness
of the block that is recognized slightly bumps up the
complexity of the pigeonhole principle needed to show
the circuit result, but it is not clear how to harness
this added complexity in the reverse direction. For
this direction, we adapt the proof of Jeřábek’s result
to amplify a surjection f : 2n → 22n to a surjection
k
from 2n onto 22n by a circuit that iterates f , but
only “remembers” n bits of each computation.
For
the
multifunction
case,
let
ITER(PV , {||id||O(1) }) denote the class of relations which can be computed as poly-log length
iterations of a polynomial relation. The precise
statement of this requires that when x is in such a
set that is defined using a p-time relation, R, the
sequence of computation values R(x, y1 ), R(y1 , y2 ),
. . ., R(yt−1 , yt ) where t is O(log |x|), is uniquely
defined. Note that just because we can recognize
that R(x, y1 ) holds in p-time does not imply that
there is a p-time function which computes y1 from x,
even if y1 is polynomially bounded. This iteration
principle is similar to one considered by Krajı́ček in
the context of the propositional proof complexity of
the surjective pigeonhole principle (Krajı́ček 2004).
ITER(PV , {||id||O(1) }) contains PV and like Θb2 is
contained in the class Σb2 . We show that over R22 ,
mWPHP (ITER(PV , {||id||O(1) })) is equivalent to the
k
existence of a string S < 22n that is not iteratively
block-recognized by any circuit of size nk . Hence,
this principle over R22 also implies mWPHP (PV ).
The last statement can be used to say something either about the likelihood of proving circuit
lower bounds in weaker theories or about the security of RSA against various kind of attacks attacks.
Krajı́ček and Pudlák (1998) (see also (Thapen 2002,
Lemma 3.15)) have shown that if there is an algorithm
witnessing the injective weak pigeonhole principle for
p-time functions (this is contained in iWPHP (PV )
which allows p-time relations) from a class C satisfying PC = C, then RSA is vulnerable to attacks
from C. Extending R2i by a quasi-polynomial growth
rate function, #3 , gives the theories R3i . We apply
Krajı́ček and Pudlák’s result to conclude that if R32
proves our circuit principle then RSA is vulnerable to
quasi-polynomial time attacks. As R32 contains the
theories R22 and S21 the same result holds for them if
they can prove our circuit principle. One can somewhat strengthen the theory R32 and still obtain results which we believe are open. For example, if
R33 proves our circuit principle, then RSA is vulnerable to attacks computed in the polynomial closure
of quasi-polynomial local search. All of these result
rely on the fact that mPHP (PV ) implies iPHP (PV ).
It is unknown over S21 whether sPHP (PV ) implies
iPHP (PV ), which is why an analogous result does
not follow immediately from Jeřábek’s result. As far
as the authors know, it is open whether RSA is vulnerable to quasi-polynomial local search attacks; the
main problem with breaking RSA using such an algorithm would be to find a neighborhood function which
could indicate when one was getting closer to the message text. We make the observation here though that
Hanika (2004) extending work of Ferreira (1995) has
defined a generalized search class GLS † which captures the Σb1 -definable multifunctions of S23 . Given
that S23 proves mPHP (PV ), and so also iPHP (PV ),
it follows from Krajı́ček and Pudlák that RSA is vulnerable to attacks from the polynomial closure of
GLS † . It also probably follows that there is some
generalization of our circuit iteration principle corresponding to these search classes for which S23 can
prove lower bounds. Therefore, showing RSA is vulnerable to a quasi-polynomial local search based attack or showing lower bounds for our iteration principle in R33 might not be much beyond current technology.
The format of the rest of this paper is as follows:
In the next section the notations and theories to be
discussed in the remainder of the paper will be introduced. In the third section, results concerning the
weak pigeonhole principle are reviewed. The next two
sections prove the results for the surjective and then
the multifunction pigeonhole principle. Finally, the
last section has the RSA results.
2
Preliminaries
This paper assumes familiarity with Buss (1986)
or Krajı́ček (1995). For completeness, the basic notations of bounded arithmetic are quickly reviewed.
The specific bootstrapping we are following is from
Pollett (1999), but yield equivalent theories to the
ones in the books just mentioned. The language
L2 contains the non-logical symbols: 0, S, +, ·, =,
.
≤, −,
b 21 xc, |x|, MSP(x, i) and #. The symbols 0,
S(x) = x + 1, +, ·, and ≤ have the usual meaning.
.
The intended meaning of x −
y is x minus y if this
is greater than zero and zero otherwise, b 12 xc is x divided by 2 rounded down, and |x| is dlog2 (x + 1)e,
that is, the length of x in binary notation. MSP(x, i)
stands for ‘most significant part’ and is intended to
mean bx/2i c. Finally, x#y reads ‘x smash y’ and is
intended to mean 2|x||y| .
Natural hierarchies of prenex formulas can be defined in this language by counting alternations of
bounded quantifiers. A formula consisting of i + 1
alternations of bounded quantifiers, the outermost of
the form ∃x ≤ t (∀x ≤ t, respectively), followed by a
matrix of sharply-bounded formulas, is a Σbi -formula
(Πbi -formula, respectively). Here sharply bounded
means bounded by a term of the form |t|. The definition of Σbi presented above is sometimes called
strictΣbi or Σˆbi in the literature. For the theories of
this paper it is a provably equivalent class to what is
usually considered elsewhere such as in Buss (1986).
The theory BASIC is axiomatized by all substitution instances of a finite set of quantifier-free axioms
for the non-logical symbols of L2 . The theories considered in this paper are obtained from BASIC by
adding various forms of the induction scheme
Θb2 is sometimes called in the literature Σb0 (Σb1 ) or
Σb2 ∩ Πb2 . Its sets corresponds to the complexity class
Θp2 := PNP (log) (Buss & Hay 1991).
A(0) ∧ (∀x)(A(x) ⊃ A(Sx)) ⊃ (∀x)A(t(x)).
∃x ≤ tA(x) ∧ ∀x, x0 ≤ t((A(x) ∧ A(x0 )) ⊃ x = x0 ).
C-IND, -LIND (length induction), and -LLIND
(length-length induction) are obtained by taking A ∈
C and t(x) to be x, |x|, and ||x||, respectively.
.
The term Bit(i, w) := MSP(w, i) −
2 ·
bMSP(w, i)/2c is the i-th bit of w. The axiom scheme
of Comprehension for A ∈ C (C-COMP ) is
We assume that the reader is familiar with
the usual definition of a circuit. The predicate
Circuit(C, n) is true if C codes a circuit on n variables and Output(C, i) is the PV -function computing the output of C on input i, where i represents
a number in binary (assume some default value if
∀n¬Circuit(C, n) or Circuit(C, n) but i ≥ 2n ). These
are straightforward to formulate in S21 using the sequence coding available there and have appeared before in the literature (Buss 1997).
(∃w ≤ 2|a| )(∀i ≤ |a|)(A(i, a) ⇔ Bit(i, w) = 1).
Sequences can be defined as ordered pairs in which
the first component specifies a block size and the second a concatenation of blocks. Then SqBd (a, b) :=
2(2a#2b) is a bound on the value of any sequence
of length |b| + 1, each of whose components is < a,
and β(b, w) is defined to be the b-th element of the sequence w. β(b, w) can be defined as a term in our language, and the basic properties of SqBd and β(b, w)
can be proved using open length induction. With
these terms in hand, we can state the axiom scheme
of Replacement for A ∈ C (C-REPL):
Definition 2 By ∃!x ≤ tA(x) we mean the usual abbreviation
3
Pigeonhole principles
In this paper, the following variants of the weak pigeonhole principle will be considered:
iPHP (R)m
z ):
n (~
n < m ∧ ∀x < n∃!y < nR(x, y, ~z) ⊃
∃x1 , x2 < m∃y < n
x1 6= x2 ∧ R(x1 , y, ~z) ∧ R(x2 , y, ~z)
∀x ≤ |a| ∃y ≤ bA(x, y) ⊃
∃w ≤ SqBd (b + 1, a)∀i ≤ |a|
β(i, w) ≤ b ∧ A(x, β(i, w)) .
The theories R2i , S2i and T2i are obtained from
BASIC by adding respectively the Σbi -REPL+Σbi LLIND, Σbi -LIND, or Σbi -IND axiom schema. The
definition of R2i has Σbi -REPL added because we are
working with prenex versions of Σbi (Pollett 1999).
It is known that S2i+1 ⊇ T2i ⊇ S2i ⊇ R2i ⊇ S2i−1 ,
if R2i+1 ⊇ T2i then the polynomial hierarchy collapses (Krajı́ček, Pudlák & Takeuti 1991, Pollett
1999), and that R2i (hence S2i ) proves Σbi -COMP .
Buss (1986, §3) shows that if one adds new function symbols to S21 for each polynomial-time function,
together with axioms saying how the functions are recursively defined, one obtains a theory called S21 (PV )
which is conservative over S21 . For convenience, in this
paper it will be assumed that these functions symbols
are available in the language. We will use the notation FP to denote the defining equational axioms for
these function symbols, and PV to denote the relations definable as open formulas involving these functions symbols. Among such functions, we will use the
following “bit-extraction” functions frequently:
1. LSP(w, i) is the |w| − i least significant bits of w,
and w[a..b] = LSP(MSP(w, a), |w| − b) consists
of bits a through b inclusive of w.
2. β̂(b, n, w) = w[bn..(b + 1)n − 1] is the b-th
length n block of bits of w.
Beyond the standard bounded arithmetic formula
classes, we next define a class which has appeared in
the literature under several different names:
Definition 1 The class Θb2 is the closure of Σb1 under
Boolean connectives and sharply-bounded quantification.
z ):
mPHP (R)m
n (~
n < m ∧ ∀x < m∃y < nR(x, y, ~z) ⊃
∃x1 , x2 < m∃y < n
x1 6= x2 ∧ R(x1 , y, ~z) ∧ R(x2 , y, ~z)
sPHP (R)m
z ):
n (~
n < m ∧ ∀x < n∃!y < mR(x, y, ~z) ⊃
∃y < m∀x < n¬R(x, y, ~z)
where R is some predicate. While these principles are
often called the functional, onto, and basic principles
respectively, we will refer to them as the injective,
multifunction, and surjective principles, as we feel
these names better capture the nature of the mapping at hand. For any of these variants, the notation
PHP (R)m
n will be used when there are no parameter variables or when the parameter variables are
clear. The notation PHP (C)m
n will be used for the
class of formulas PHP (R)m
n where R ∈ C. The no2
tation WPHP (C) will be used for PHP (C)nn . When
m
we refer to the scheme vWPHP (R)n for v = s, i, or
m, we mean all instances of the corresponding sentence in which terms are substituted for m and n.
When C = FP , we understand the parameter list to
have length 0, R to be a function symbol f ∈ FP ,
and R(x, y) to be f (x) = y. We now make a few
observations about the relations between the various
principles.
Proposition 1 BASIC proves the following equivalences:
0
m
(a) mPHP (R)m
n is equivalent to mPHP (R)n where
0
m
mPHP (R)n is
∀x1 , x2 < m∀y < n(R(x1 , y) ∧ R(x2 , y) ⊃ x1 = x2 ) ⊃
¬(n < m) ∨ ∃x < m∀y < n¬R(x, y) .
(b) sPHP (R)m
n is equivalent to
∀y < n∃x < mR(x, y) ⊃ mPHP 0 (R)m
n.
(c) iPHP (R)m
n is equivalent to
∀x < m∀y1 < n∀y2 < n
R(x, y1 ) ∧ R(x, y2 ) ⊃ y1 = y2 ⊃ mPHP (R)m
n.
Proof.
This argument will also hold if we had
written parameter variables. The statement (a) follows because mPHP 0 (R)m
n is just the contrapositive
of mPHP (R)m
n . (b) follows because the condition
∀y < n∃x < mR(x, y) says R is a total multifunction
from y < n to x < m and the premise of mPHP 0 (R)m
n
guarantees this multifunction is a function. Finally,
(c) follows since the condition
∀x < m∀y1 < n∀y2 < n(R(x, y1 ) ∧ R(x, y2 ) ⊃ y1 = y2 )
says R is a partial function from x < m to y < n and
the premise of mPHP (R)m
n guarantees this function
is total. Corollary 2 BASIC proves mPHP (R)m
implies
n
m
both sPHP (R)m
n and iPHP (R)n .
Proposition 3 For each pigeonhole variant v =
m, s, i, the theories T21 (R) and S22 (R) prove that
2
vPHP nn (R) ⊃ vPHP 2n
n (R),
Proof.
(Sketch) The T21 (R) results follows from
2
the S2 (R) results since the formulas in question are
boolean combinations of Σb2 -formulas and S22 (R) is
conservative over T21 (R) for such formulas. The basic
idea of the proof for S22 (R) is to show ¬vPHP n2n (R) ⊃
2
¬vPHP nn (R). To do this in each case one iterates |n|
times the 2n into n function or multifunction (or n
2
onto 2n function) violating vPHP nn (R). It is unknown whether mPHP (Σb1 )m
n is equiv1
over
S
for
v
= s or
alent to vPHP (Σb1 )m
n
2
i.
Paris et al. (1988) showed that S2 `
mWPHP (∆0 ), where ∆0 is the class of bounded formulas. Krajı́ček (1995) has sharpened this to:
Lemma 4 T22 (R) ` mWPHP (R). Hence, T22 `
mWPHP (PV ) and in particular T22 ` sWPHP (PV ).
4
Surjective pigeonhole principle and blockrecognition
Jeřábek (2004) shows in that over S21 , the surjective
weak pigeonhole principle is equivalent to the claim
that there is a string hard string of length 2nk for
circuits of size nk . The following can be shown to be
equivalent to Jeřábek’s result; the main difference is
the notation, which here corresponds to the notation
we will use for our later results:
Theorem 5 (Jeřábek 2004, Lemma 3.2, Proposition 3.5) Let n = |z|. Over S21 , the scheme
2
sWPHP (FP )nn is equivalent to the scheme
k
k
∃S < 22n ∀C < 2n ∃i < 2nk
Circuit(C, 2nk ) ⊃ Output(C, i) 6= Bit(i, S)
for k = 0, 1, . . ..
We begin by giving modified versions of Jeřábek’s
results for relational versions of the surjective weak
pigeonhole principle. To simplify the notation a bit
in this section, we often abuse notation and write C(i)
to denote Output(C, i).
Definition 3 Let C be a circuit on |dm/ne|+n input
variables. We say that C n-block-recognizes S < 2m
for all i < dm/ne and s < 2n , C(i, s) is true iff s =
β̂(i, n, S).
The predicate Fits(C, S, m, n) says that C(·, ·) has
the right shape for n-block-recognizing S < 2m :
Circuit(C, |dm/ne| + n) ∧ S < 2m .
Let BlockRec(C, S, m, n) be the formula that says
C n-block-recognizes S < 2m :
Fits(C, S, m, n) ∧
∀i < dm/ne ∃!s < 2n C(i, s) ∧ C(i, β̂(i, n, S)) .
Proposition 6 Let n = |z|.
For each k >
k
0, S21 + sWPHP (Θb2 ) proves ∃S < 22n ∀C <
k
2n ¬BlockRec(C, S, 2nk , n).
Proof. Reason in S21 . Existence of S in
h
k
k
∀C < 2n ∃!S < 22n
Fits(C, S, 2nk , n) ∧
∀i < 2nk−1 (∃!s < 2n C(i, s) ∧ C(i, β̂(i, n, S))) ∨
(¬Fits(C, S, 2nk , n) ∨
i
∃i < 2nk−1 ¬∃!s < 2n C(i, s) ∧ S = 0
k
is provable using PV -REPL as follows: Fix C < 2n .
If C is not of the correct shape, then S will
be 0 and
the result holds. So assume Circuit(C, 2nk−1 + n)
and ∀i < 2nk−1 ∃!s < 2n C(i, s). Using Σb1 -COMP ,
one can show one can define any block of S bit-by-bit.
Then using Σb1 -REPL one can define all the blocks in
a single string. Uniqueness of S follows by proving
length induction first on the bits in two strings in
a block and then by length induction on the blocks.
Since the predicate in brackets is Θb2 , one can apply
k
sWPHP (Θb2 ) to conclude that there is some S < 22n
k
such that for all C < 2n the predicate in brackets
fails. Then in particular, the first disjunct must fail,
which completes the proof of the Theorem. As a corollary to the proof, we have the following
result:
Proposition 7 Let n = |z|.
For each k >
k
0, S21 + sWPHP (FP ) proves ∃S < 22n ∀C <
k
2n ¬BlockRec(C, S, 2nk , |n|).
Proof. The same argument applies, but now we note
that the condition on C is PV because the quantifiers in the uniqueness criterion are sharply bounded,
so sWPHP (PV ) applies. But then this condition defines a PV -function, so only the functional version of
sWPHP is needed. Theorem 8 Let T be the theory obtained from S21 by
adding the axiom
k
k
∃S < 22n ∀C < 2n ¬BlockRec(C, S, 2nk , n)
for each n = |z| and k > 0.
sWPHP (Σb1 ).
Then T proves
0
3. The size of Gi is O(in` +1 ).
Proof.
It suffices to argue in S21 that if there is
b
a Σ1 -relation R(x, y) that is the graph of a surjection f from 2n onto 22n (where without loss of genk
erality n = |z| for some z), then ∀S < 22n ∃C <
k
2n BlockRec(C, S, 2nk , n). Note that assuming the
existence of such a relation R does not allow us to assume there is a function symbol in PV for f , since we
do not have that S21 proves that R is the graph of a
`
function. Say that R has the form ∃z < 2n R0 (x, y, z)
where R0 is PV and let C0 be a circuit on variables x0 , . . . , xn−1 , y0 , . . . , y2n−1 , z0 , . . . , zq (q = n` )
that outputs 1 exactly when R0 (x, y, z) holds (here,
Bit(i, x) = xi , etc.). Furthermore, let `0 be such that
0
C0 has size O(n` ). We will use C0 to construct circuits Gi (u, x, y, w) where u < 2i , x, y < 2n , and w
is a sequence of length i, each of whose elements has
size bounded by 2n + q. Gi is intended to represent a
i
surjection from 2n onto 22 n by repeatedly applying f
to x and taking the left- or right-half of the result according to the bits of u. Our final circuit C will be obtained by fixing i and “hard-coding” w. Specifically,
the predicate computed by Gi is defined as follows:
k
Now suppose that S < 22n and let r = 2nk−1 =
(k − 1) |n| + 1, so that 2r n = 2nk . Then as we
just showed, there are (provably in S21 ) e and w such
that Gr (·, e, ·, w) n-block-recognizes S. Let Cr (i, s) =
Gr (i, e, s, w). The size of Cr is ≤ c((k − 1) |n| +
0
0
1)n` +1 ≤ c0 kn` +2 for some c and c0 . Furthermore,
any circuit of size m can be given a code of size
≤ 2m(|m|+1). Thus,
if we
take k large enough so thatk
`0 +2 k
0
`0 +2 0
n ≥ 2c kn
(c kn
+1), then C(k−1)|n|+1 < 2n
is a circuit that n-block recognizes S. Since S was
chosen arbitrarily, this completes the proof. Combining Proposition 6 with Theorems 5 and 8,
we have the following inclusions of theories, where
the block-recognition axiom schemes range over all
n = |z| and k > 0:
S21 + sWPHP (Θb2 ) ⊇
k
S21 + sWPHP (Σb1 ) ⊇ S21 + sWPHP (PV ) ⊇
S21 + sWPHP (F P ) ≡
G0 (u, x, y, w) :=(u = 0) ∧ (x = y)
k
k
k
k
S21 + ∃S < 22n ∀C < 2n ¬Compute(C, S, 2nk ) ⊇
Gi+1 (u, x, y, w) :=u < 2i+1 ∧
Gi (DMSB(u),
cond(MSB(u), w[n..2n − 1],
w[0..n − 1]),
y, MSP(w, 2n + q)) ∧
C0 (x, w[0..2n − 1],
w[2n..2n + q − 1]).
S21 + ∃S < 22n ∀C < 2n ¬BlockRec(C, S, 2nk , 1)
where Compute(C, S, m) holds if C is a circuit on |m|
variables, |S| = m, and for all i < m, Output(C, i) =
Bit(i, S). The last inclusion follows directly from the
fact that a 1-block recognizer for S can be converted
into a circuit that computes S by fixing the value
of the “guess” for the length-1 block to 1. Equivalence between computing S and 1-block recognizing S is slightly more complex, as converting a circuit
that computes S into one that 1-block recognizes S
in the obvious way increases the circuit (code) size
by O(|n|). To state an equivalence, we would thus
change the circuit code size in the Compute theory to
be nk + O(|n|).
Taking the contrapositive, we have the following
curious corollary:
where DMSB(u) = LSP(a, |a| − 1) is a with its
most significant bit deleted, MSB(a) = MSP(a, 1)
is the most significant bit of a, and cond(b, c, d) is
either c or d as per whether b = 0 or b = 1. Formally, we are defining a function Ḡ(i), where Ḡ(i) is
the code of the circuit computing the predicate Gi ;
Ḡ(i + 1) is defined recursively from the code returned
by Ḡ(i). Thus, when we write Gi (u, x, y, w), we really
mean Output(Ḡ(i), u, x, y, w). Following Jeřábek, if
r = ||z|| for some z and i < r, then Gi (u, x, y, z) is
Σb1 -definable and we can prove
Corollary 9
k
k
S21 + ∀S < 22n ∃C < 2n BlockRec(C, S, 2nk , 1) ⊇
r
1. For any S < 22 n ,
∃e < SqBd (n, 22
k
S21 + ∃S < 22n ∀C < 2n ¬BlockRec(C, S, 2nk , n) ⊇
k
k
S21 + ∀S < 22n ∃C < 2n BlockRec(C, S, 2nk , n).
r−i
)∃w < SqBd (i(2n+q), 22
r−i
)
∀u < 2i ∀v < 2r−i Gi (u, (e)v , β̂(2i v+u, n, S), (w)v ),
(Σb1 -LIND on i ≤ r). Since r = ||z|| and i ≤ r,
this predicate is in fact Σb1 . In particular, taking i = r we have that
∃e < 2n ∃w < 2r(2n+q) ∀u < 2r
Gr (u, e, β̂(u, n, S), w).
where the block-recognition axiom schemes range over
all n = |z| and k > 0.
Note that the “obvious” approach to proving this
fails. One can construct an n-block-recognizer by
combining many copies of a 1-block-recognizer, each
of size nk ; however, the resulting circuit (code) will
possibly have size greater than nk .
We conclude this section with a variant of
sWPHP . Let sWPHP (D, R)m
n be the following principle:
(n < m ∧ ∀x < n(D(x) ⊃ ∃!y < mR(x, y))) ⊃
∃y < m∀x < n(D(x) ⊃ ¬R(x, y)).
2.
∀i∀u < 2i+1 ∀e < 2n
∀y, y 0 < 22n ∀w, w0 < 2i(2n+q) [
(Gi (u, e, y, w) ∧ Gi (u, e, y 0 , w0 )) ⊃ y = y 0 ].
(Πb1 -LIND on i).
In other words, R cannot be the graph of a surjective function from D (a subset of {0, . . . , n})
onto {0, . . . , m}. sWPHP (D, C) is the set of prin2
ciples sWPHP (D, R)nn for D ∈ D and R ∈ C. This
bears some similarity to Thapen’s alternative version
of a multifunction pigeonhole principle which states
that a function cannot be a surjection from a subset
of n onto m (Thapen 2002, Definition 3.1(4)). There,
however, the complexity of the domain is left unspecified, and it is not certain what the exact relationship
between the two principles is. The proof of the following is similar to that of Proposition 6:
Proposition 10 Let n = |z|. For each k > 0, S21 +
sWPHP (Θb2 , PV ) proves
k
m
∀j ≤ |h(~z)| Iter (R, B, E, j, ~z, s, ||t|| ) ⇔
m
Iter (R∗ , B ∗ , E ∗ , ~z, s(|h| + 1), ||t|| ).
O(1)
In other words, ITER(PV , {||id||
}) is closed
under sharply bounded universal quantification.
k
∃S < 22n ∀C < 2n ¬BlockRec(C, S, 2nk , n).
5
R∗ (i, u, v, ~z) ∈ PV and terms B ∗ (~z) and E ∗ (~z)
such that R22 proves
mWPHP and Iteration
The next definition will be used to state circuit principles connected with mWPHP .
Definition 4 Given a class C of formulas and a set τ
of terms, ITER(C, τ ) consists of formulas of the form
Iter (R, B, E, z1 , . . . , zn , s, t) :=
∃w ≤ SqBd (s, 2min(t+1,|r|) )Comp(R, B, E, w, ~z, s, t)
where R(i, u, v, ~z) ∈ C, r, B(~z) and E(~z) are terms,
and Comp(R, B, E, w, ~z, s, t) is
Seq(w) ∧ Len(w) = t + 2 ∧
∀i ≤ t β(i, w) ≤ s ∧ R(i, β(i, w), β(i + 1, w), ~z) ∧
∀v ≤ s(R(i, β(i, w), v, ~z) ⊃ v = β(i + 1, w)) ∧
β(0, w) = B(~z) ∧ β(t + 1, w) = E(~z).
It is permissible that R not depend on all of the variables ~z; when this is a case for a specific R (such as
Out, in Definition 5), we will omit mention of the
unused variables. Formally we should declare the parameters upon which R depends and rewrite Comp
to list only those parameters, but we will instead informally refer to R “depending” on zi or not (and
similarly for B and E).
The predicate Iter is related to a predicate in
Krajı́ček (2004) which was studied in the context of
propositional proof complexity. Where it is clear that
a suitable r can be found so that t + 1 < |r| then, we
will sometimes just write 2t+1 for 2min(t+1,|r|) . The
latter form is introduced only because the exponential
function is not necessarily total in bounded arithmetic
theories. The intuition behind Iter(R, B, E, ~z, s, t) is
that it verifies that there is a (t + 1)-stepped computation from initial value B(~z) to final value E(~z)
each step of which follows uniquely from the previous
according to R. The values at each step are bounded
by s. It should be observed that if s is of polynomial length then the ability to verify in p-time that a
string for the (i+1)-st step follows from a string for ith step does not entail that there is a p-time function
computing the (i + 1)-st step from the i-th step.
Write {||id||O(1) } for the set of terms of the form
||t||m for some term t and some fixed number m in the
language. The following lemmas establish the basic
properties of ITER(C, τ ).
Lemma 11
1. The theory S21 proves that ITER(PV , {||id||O(1) })
contains the PV predicates.
2. For R(i, u, v, j, ~z) ∈ PV , any terms B(j, ~z)
and E(j, ~z), and any term h(~z), there is
Proof. (1) Suppose R(~z) is a PV predicate. Consider
the predicate R∗ (i, a, b, ~z) defined as
(i = i ∧ a = 0 ∧ b = 0 ∧ R(~z)).
Then Iter (R∗ , 0, 0, ~z, 1, ||t||m ) will compute the same
predicate as R(~z) (regardless of t).
(2) The left-hand-side says that for each j ≤ |h|, R
m
“maps” B(j, ~z) to E(j, ~z) in ||t|| steps. R∗ will map
the sequence hB(0, ~z), . . . , B(|h| , ~z)i to the sequence
hE(0, ~z), . . . , E(|h| , ~z)i in the same number of steps.
By Σb2 -REP L the left-hand-side is equivalent to
∃w ≤ SqBd (SqBd (s, 2||t||
m
+1
), 2|h|+1 )∀j ≤ |h|
m
Comp(R, B, E, β(j, w), j, ~z, s, ||t|| ).
Let R∗ (i, u, v, ~z) be the predicate
u ≤ SqBd (s, 2|h| ) ∧ v ≤ SqBd (s, 2|h| ) ∧
Seq(u) ∧ Seq(v) ∧
∀j ≤ |h| (R(i, β(j, u), β(u, v), j, ~z).
Let B ∗ = hB(0, ~z), . . . , B(|h| , ~z)i and E ∗ =
hE(0, ~z), . . . , E(|h| , ~z)i. Then the sequence W defined
by β(i, W ) = hβ(0, β(i, w)), . . . , β(|h| , β(i, w))i is a
witness to the right-hand-side; since W is computable
in polynomial-time from w, it is definable in R22 ⊇ S21 .
Lemma 12 R22 proves U niq(||t||m ) for fixed m where
U niq(a) is the formula
Comp(R, B, E1 , w1 , ~z, s, a) ∧
Comp(R, B, E2 , w2 , z~0 , s, a) ⊃ w1 = w2 ∧ E1 = E2
where zi0 = zi if R or B depends on zi .
Proof. First, note that Comp is equivalent to a Πb1
formula so U niq(|x|) will be equivalent to a Σb1 formula. Also, given the definition of Comp uniqueness
of w in Comp(R, B, E, w, ~z, s, a) guarantees uniqueness of E. Let Comp 0 (R, B, w, ~z, s, a) be the same
predicate as Comp except where the last conjunct
checking that the final value of the sequence is E has
been discarded. Let U niq 0 (a) be
∀w1 , w2 ≤ SqBd(s, 2a )
Comp 0 (R, B, w1 , ~z, s, a) ∧ Comp 0 (R, B, w2 , ~z, s, a) ⊃
w1 = w2 .
Given our discussion this will be a Πb2 -formula and
U niq 0 (a) ⊃ U niq(a), so it suffices to prove U niq 0 (|x|)
to complete the proof. The theory S21 proves U niq 0 (0)
since any sequence satisfying the Comp 0 expression
will in this case consist of only two elements, the first
elements must be x and the third conjunct in the definition of Comp 0 forces the uniqueness of the second
block. This third conjunct in the definition of Comp 0
can also be used to show U niq 0 (a) ⊃ U niq 0 (Sa); the
relevant fact is that
k
are S1 6= S2 < 22n , C < 2n
1. Let Out(i, u, v, b, C) be the predicate that is true
when C is a circuit on |i| + |u| + |v| + |b| variables
and C(i, u, v, b) is true.
2. Let IterBlockRec(C, S, c, x, t) be
∀b < nk−1
, c < 22n such that
j
+1
)
CompOutput(w, S, C, c, b, x, ||t||j )
Comp 0 (R, B, F RON T (w), ~z, s, a).
Definition 5
−2n
∀b < nk−1 ∃w ≤ SqBd(22n , 2||t||
Comp 0 (R, B, w, ~z, s, Sa) ⊃
Here F RON T (w) is the p-time function that returns
all but the last element of w. The point is U niq 0 (a)
guarantees the uniqueness of F RON T (w) since it has
size less than SqBd(s, 2a ), and the third conjunct will
guarantee the uniqueness of the element that is added
to F RON T (w) to obtain w. Hence, w will also be
unique. Thus using Πb2 -LLIND and standard speedup of induction techniques (Pollett 1999), the theory
R22 proves U niq 0 (||x||m ) and hence U niq(||x||m ). k
for i = 1, 2.
Fix any b < nk−1 .
By
Lemma 12, there is a unique pair (w, v) such that
j
Comp(Out, c, v, w, b, C, c, Si , 2|c| , ||t|| ) for i = 1, 2
(note that Out does not depend on S), and so we conclude that for each b < nk−1 we have β̂(b, 2n, S1 ) =
β̂(b, 2n, S2 ). In other words, the b-th blocks of S1
and S2 are equal. Since b was chosen arbitrarily, all
blocks of S1 and S2 are the same. By induction on
the number of blocks, one shows that this implies that
S1 = S2 , a contradiction. Theorem 14 Let n = |x|. Let T be the theory R22
extended by the axioms
k
∃S < 22n ∀C < 2n
k
−2n
∀c < 22n
¬IterBlockRec(S, C, c, x, ||t||j )
Iter (Out, c, β̂(b, 2 |x| , S), b, C, c, S, 2|c| , t) .
By Lemma 11, this is an iteration predicate.
Note that Out depends only on the parameters b
and C.
3. Let CompOutput(w, C, S, c, b, x, t) be
Comp(Out, c, β̂(b, 2 |x| , S), w, b, C, c, S, 2|c| , t)
for each k > 1, ||t||j in {||id||O(1) }.
Then
(a) T
proves mWPHP (PV ) and (b) T
proves mWPHP (ITER(PV , {||id||O(1) })).
Proof. (a) Assume that R(x, y) is a PV -formula that
is the graph of an injective multifunction from 22n
into 2n . Define AM P 0 (S, c, j, x, w) to be the conjunction of the following statements:
1. S < 22
j+1
n
;
2. w is a sequence of length j + 1;
so that IterBlockRec(C, S, c, x, t) is
3. For 0 ≤ i ≤ j, β(i, w) is a sequence of length 2i ;
∀b < nk−1 ∃w ≤ SqBd(2|c| , 2t+1 )
CompOutput(w, C, S, c, b, x, t) .
Theorem 13 Let
n
=
|x|.
For
k
>
1, ||t||j in {||id||O(1) }, the theory
R22 +mWPHP (ITER(PV , {||id||O(1) })) proves the
principle
k
∃S < 22n ∀C < 2n
k
−2n
∀c < 22n
¬IterBlockRec(C, S, c, x, ||t|| ).
The use of two separate variables C and c is a notational convenience: we could replace them by a single
k
variable C 0 of size 2n and use MSP and LSP to obtain values for these two variables.
Proof. Reason in R22 , and suppose that
k
k
−2n
∃c < 22n
5. For 0 ≤ i < j and 0 ≤ ` < 2i ,
R(β(2`, β(i + 1, w)), MSP(β(`, β(i, w)), n));
6. For 0 ≤ i < j and 0 ≤ ` < 2i ,
R(β(2` + 1, β(i + 1, w)), LSP(β(`, β(i, w)), n));
7. β(0, β(0, w)) = c;
j
∀S < 22n ∃C < 2n
4. For 0 ≤ i ≤ j and 0 ≤ ` < 2i , |β(`, β(i, w))| ≤
2n;
h
∀b < nk−1 ∃w ≤ SqBd(22n , 2||t||
j
+1
)
i
CompOutput(w, C, S, c, b, x, ||t||j ) .
Using Lemma 11, the expression in square brackets
is equivalent in R22 to an ITER(PV , {||id||O(1) }) predicate. So by mWPHP (ITER(PV , {||id||O(1) })) there
8. For 0 ≤ ` < 2j , β(`, β(j, w)) = β̂(`, 2n, S).
In other words, w is a “triangle” that consists of
j + 1 rows, where the i-th row has 2i blocks, and
each block is of length at most 2n; the 0-th row is c
and the (j + 1)-st row is S. The i-th row is formed
by using R to “compress” the blocks of the (i + 1)st row. Let AM P (S, c, j, x) be the predicate ∃w ≤
j
SqBd(SqBd(22n , 22 −1 ), 2j )AM P 0 (S, c, j, x, w). As
usual exponentials are ‘cut-off’, in this case by
a term of the form ||r|| for some r, so AM P
is (equivalent to) a Σb1 formula over BASIC .
By Πb2 -LLIND on j, one can show that ∀S <
j+1
22 n ∃c < 22n AM P (S, c, j, x) and hence conclude
k|n|+1
n
∀S < 22
∃c < 22n AM P (S, c, k |n| , x). For the
j+2
induction step, given S < 22 n , use R to compress
j+1
adjacent length-n blocks in pairs to get S 0 < 22 n
and then apply the induction hypothesis to get c such
that AM P (S 0 , c, j, x). To show AM P (S, c, j, x), take
the sequence (triangle) w0 given by AM P (S 0 , c, j, x)
and add a new row consisting of the length-2n blocks
of S.
k
Now fix S < 22n and take c such that
AM P (S, c, k |n| , x). Let C(i, u, v, b) be the circuit
that computes the predicate
R v, cond Bit((k − 1) |n| − i, b),
MSP(u, n), LSP(u, n) ∧ (i = 0 ⊃ u = c).
Take any b < nk−1 (the number of length-2n blocks
in S). Let w be the sequence (triangle) given by
AM P (S, c, k |n| , x) and define a new sequence v by
β(i, v)) = β(MSP(b, i), β(i, w)). In other words, v
consists of the blocks in w starting at c and traversing the triangle to end at the b-th block of S in the last
row. Then v is a sequence of k |n| starting at c, ending
at β̂(b, 2n, S) and for which C(i, β(i, v), β(i+1, v)) for
each i; this follows from AM P (S, c, k |n| , x). Uniqueness of each step follows from the fact that R is injective. As in the proof of Theorem 8, take k large
k
enough so that we can assume C < 2n −2n ; then by
chasing definitions, we see that we have proved
k
k
∀S < 22n ∃C < 2n −2n ∃c < 22n
IterBlockRec(C, S, c, x, k ||x||),
completing the proof of (a).
We now describe how to modify the proof
of (a) to obtain a proof of (b).
Let Q :=
Iter (R, B, E, x, y, ~z, s, ||t||m ) be a predicate such that
¬mWPHP (Q). We are assuming that the injection
from 22n to 2n is on the variables x and y which
are among the parameter variables of R, B, and E.
We use the R in this Q to create a modified version
of AM P , essentially where we have inserted between
each step in the old AMP the iterations need to compute Q . Let clen := ||t||m + 3. The new version of
AM P 0 asserts:
1. S < 22
j+1
n
;
2. w is a sequence of length j · clen + 1;
3. For 0 ≤ i ≤ j, let i0 := i · clen; then β(i0 , w)
is a sequence of length 2i and for 0 ≤ ` < 2i ,
|β(`, β(i0 , w))| ≤ 2n.
4. For 0 ≤ i ≤ j, and i · clen < i0 < (i + 1) · clen,
β(i0 , w) is a sequence of length 2i+1 , and for 0 ≤
` < 2i+1 , |β(`, β(i0 , w))| ≤ s, and R(i0 , β(`, β(i0 +
1, w)), β(`, β(i0 , w)));
5. For 0 < i < j and 0 ≤ ` < 2i , let xi,2` :=
β(2`, β((i + 1) · clen, w)), Lyi,` := MSP(β(`, β(i ·
clen, w)), n), bi,2` := β(2`, β((i+1)·clen−1, w)),
and ei,2` := β(2`, β(i · clen + 1, w)). Then
bi,2` = Lyi,` ∗ B(xi,2` , Lyi,` , ~z) and ei,2` = Lyi,` ∗
E(xi,2` , Lyi,` , ~z). Here, ∗ denotes concatenation;
we need this extra data when we construct the
circuit that iteratively block-recognizes S.
6. For 0 ≤ i < j and 0 ≤ ` < 2i , let
xi,2`+1 := β(2` + 1, β((i + 1) · clen, w)), Ryi,` :=
LSP(β(`, β(i · clen, w)), n), bi,2`+1 := β(2` +
1, β((i + 1) · clen − 1, w)), and ei,2`+1 :=
β(2` + 1, β(i · clen + 1, w)). Then bi,2`+1 =
Ryi,` ∗ B(xi,2`+1 , Ryi,` , ~z) and ei,2`+1 = Ryi,` ∗
E(xi,2`+1 , Ryi,` , ~z);
7. β(0, β(0, w)) = c;
8. For 0 ≤ ` < 2j , β(`, β(j · clen, w)) = β̂(`, 2n, S).
So this formula asserts that w is a “triangle of grids”
that consists of mj + 1 grids. The i-th grid has 2i
columns and ||t|| + 3 rows. The last row of each grid
corresponds to to a row of the triangle from the PV
case. The immediately prior row consists of blocks of
the form B(x, y), where x < 22n is the value in same
column and next row and y < 2n is the value x is
mapped to by Q. Then within a column, one traverses
row-by-row by applying R. The new formula AM P is
defined from this AM P 0 as before with a larger (but
still polynomial bound) for w. Given that the universals above will be sharply bounded in R22 , this AM P
is still equivalent to a Σb1 -formula. So one can prove
j+1
∀S < 22 n ∃c < 2n AM P (S, c, j, ·||t||m , x) by induck
tion on j in R22 and hence conclude ∀S < 2n ∃c <
m
2n AM P (S, c, k ||x|| · ||t|| , x). The induction step is
handled by using the fact that since ¬mWPHP (Q),
there is some unique sequence that makes Q an an
j+2
injective map from 22n into 2n . So given S < 22 n ,
apply Q to the length-2n blocks of S to obtain lengthj+1
n blocks, and concatenate these to get S 0 < 22 n .
Apply the induction
hypothesis to find c such that
m
AM P (S 0 , c, j ||t|| , x). Let w0 be the sequence such
m
that AM P 0 (S 0 , c, j ||t|| , x, w0 ) and now append the
clen-row by 2j+1 -column “grid” that has the length2n blocks of S as the last row, and the the computation sequence of R in each column.
k
Now given S < 22n we need a circuit C(i, u, v, b)
that recognizes a path through this “triangle of grids”
that starts at c and ends at β̂(b, 2n, S). When i =
i0 · clen, we are transitioning from the last row of a
grid (corresponding to the rows of the triangle from
the PV case); the circuit verifies that LSP(v, n) =
B(u, MSP(v, |v| − n)). This is why we need to keep
extra copies of the Ly’s and Ry’s in all the cells of
the grid; without them, we could not perform this
verification “locally.” When i = i0 · clen + 1, we are
transitioning from one grid to the next. The circuit
just verifies that left- or right-half of v is MSP(u, n)
according to the ((k − 1) |n| − i0 )-th bit of b. Finally, if i = i0 · clen + i00 with i00 > 1, we are transitioning according to R, so the circuit verifies that
R(i00 , LSP(v, n), LSP(u, n)). It would be interesting to know if mWPHP (PV )
implies mWPHP (ITER(P V, {||id||O(1) })) over some
non-trivial theory. To show this would seem to involve
showing that from an iterated relation PV defining a
injective multifunction from n2 to n, one could somehow do away with the iteration and find a PV relation defining a injective multifunction from n2 to n
relation. It is not clear how this could be done.
6
Iteration and RSA
In this section, the provability of
k
∃S < 22n ∀C < 2n
k
−2n
∀c < 22n
¬IterBlockRec(C, S, c, x, k)
in R32 and R33 is connected to the security of RSA. To
state our results, we define the class qP LS and recall
the definition of RSA.
The class PLS for polynomial search was defined by
Johnson, Papadimitriou, and Yannakakis (1988) and
was shown to contain several interesting optimization
problems. Buss and Krajı́ček (1994) showed that the
Σb1 provably total multifunctions of T21 can be characterized as the composition of a projection function
with a PLS multifunction. By a quasi-polynomial,
k
we mean a function of the form 2(log n) for some k.
A natural generalization of PLS to quasi-polynomial
time can be defined as follows:
Definition 6 A qPLS problem consists of a quasipolynomial time cost function c, a quasi-polynomial
time neighborhood function N , and a quasipolynomially bounded set of quasi-polynomial time solutions, defined by a predicate F . For an input x, the
set {s : F (x, s)} is the set of feasible solutions, the
mapping s 7→ c(x, s) assigns a cost to each solution,
and the mapping s 7→ N (x, s) maps solutions to solutions. The multifunction f defined by the qPLS problem is given by the relation f (x) = y iff F (x, y) and
c(x, N (x, y)) < c(x, y).
Define x#3 y as 2|x|#|y| . Let R3i , S3i , and T3i be
the theories obtained from R2i ,S2i , and T2i by adding
this symbol and its defining axiom. A straightforward generalization of Buss & Krajı́ček (1994) shows
that the Σb1 provably total multifunctions of T31 can be
characterized as the composition of a projection function with a qPLS multifunction (see Pollett (1997) for
results of this type). A straightforward generalization
of Buss (1986) shows that the Σb1 -definable functions
of S31 are the quasi-polynomial time functions.
Recall what an instance of RSA is:
the following: (a) for R32 , there is a quasi-polynomial
time function g which when given inputs c, a such that
∀x < a2 f (x, c) < a outputs x1 < x2 < a2 such that
f (x1 , c) = f (x2 , c). (b) for R33 , g can be computed as
a a projection of a qPLS problem. By Krajı́ček and
Pudlák (1998) there is polynomial time algorithm using g as an oracle which solves RSA. References
Ajtai, M. (1994), ‘The complexity of the pigeonhole
principle’, Combinatorica 14(4), 417–433.
Beame, P., Impagliazzo, R., Krajı́ček, J., Pitassi,
T., Pudlák, P. & Woods, A. (1992), Exponential lower bounds for the pigeonhole principle, in
‘Proceedings of the 24th Annual ACM Syposium
on the Theory of Computing (Victoria, 1992)’,
ACM Press, New York, pp. 200–221.
Buss, S. R. (1986), Bounded Arithmetic, Bibliopolis,
Naples.
Buss, S. R. (1990), Axiomatizations and conservation results for fragments of bounded arithmetic, in ‘Logic and Computation (Pittsburgh,
PA, 1987)’, Vol. 106 of Contemp. Math., Amer.
Math. Soc., Providence, RI, pp. 57–84.
Buss, S. R. (1997), ‘Bounded arithmetic, complexity,
and cryptography’, Theoria 63, 147–167.
Definition 7 An instance of RSA consists of a modulus n = pq for two large primes p and q, exponents e
and d which are mutual inverse modulo (p − 1)(q − 1),
a message m < n, and a ciphertext c < n such that
c ≡ me mod n and m ≡ cd mod n. The RSA instance
is solved (hence, vulnerable) if given n, e, and c, one
can compute m.
Buss, S. R. & Hay, L. (1991), ‘On truth-table
reducibility to SAT’, Inform. and Comput.
91(1), 86–102.
We are now ready to present the main result of
this section.
Buss, S. R., Krajı́ček, J. & Takeuti, G. (1993), Provably total functions in bounded arithmetic theories Ri3 , Ui2 and V2i , in ‘Arithmetic, Proof Theory, and Computational Complexity (Prague,
1991)’, Vol. 23 of Oxford Logic Guides, Oxford
Univ. Press, New York, pp. 116–161.
Theorem 15 Let n = |x|.
(a) If for any
k
k
k, R32 proves ∃S < 22n ∀C < 2n −2n ∀c <
22n ¬IterBlockRec(S, C, c, x, k) then RSA is vulnerable to quasi-polynomial time based attacks. (b) If
k
k
for any k, R33 proves ∃S < 22n ∀C < 2n −2n ∀c <
22n ¬IterBlockRec(S, C, c, x, k) then RSA is vulnerable to polynomial time in qPLS based attacks.
Proof. Both (a) and (b) are proved essentially the
same way. By Buss, Krajı́ček, and Takeuti (1993)
it is known that R33 is Σb3 conservative over S22 , and
by Buss (1990), S32 is Σb2 -conservative over T31 . Similarly, by Buss, Krajı́ček, and Takeuti (1993), R32
is Σb2 -conservative over S31 . Let T be either R32 or
k
k
R33 . Then if T proves ∃S < 22n ∀C < 2n −2n ∀c <
2n
2 ¬IterBlockRec(S, C, c, x, k), then by Theorem 14,
T proves mWPHP (PV ) so by Proposition 1, it also
proves iWPHP (PV ) and thus iWPHP (FP ). The latter consists of formulas of the form:
∃x < n2 f (x, c) ≥ n ∨
2
∃x1 , x2 < n (x1 6= x2 ∧ f (x1 , c) = f (x2 , c))
which are Σb1 -formulas. Hence, by the previously
mentioned conservation results, one has in the case
of R32 that S31 proves iWPHP (FP ) and in the case
of R33 that T31 proves iWPHP (FP ). Using the witnessing arguments used to show the characterizations
of Σb1 -definability in these latter theories one can say
Buss, S. R. & Krajı́ček, J. (1994), ‘An application
of Boolean complexity to separation problems in
bounded arithmetic’, Proc. London Math. Soc.
(3) 69(1), 1–21.
Ferreira, F. (1995), ‘What are the ∀Σb1 -consequences
of T12 and T22 ?’, Ann. Pure Appl. Logic 75(12), 79–88. Proof theory, provability logic, and
computation (Berne, 1994).
Hanika, J. (2004), Search Problems and Bounded
Arithmetic, PhD thesis, Charles University.
Jeřábek, E. (2004), ‘Dual weak pigeonhole principle,
Boolean complexity, and derandomization’, Ann.
Pure Appl. Logic 129(1–3), 1–37.
URL: doi:10.1016/j.apal.2003.12.003
Johnson, D. S., Papadimitriou, C. H. & Yannakakis,
M. (1988), ‘How easy is local search?’, J. Comput. System Sci. 37(1), 79–100. 26th IEEE
Conference on Foundations of Computer Science
(Portland, OR, 1985).
Kannan, R. (1982), ‘Circuit-size lower bounds and
nonreducibility to sparse sets’, Inform. and Control 55(1-3), 40–56.
Krajı́ček, J. (1995), Bounded Arithmetic, Propositional Logic, and Complexity Theory, Vol. 60
of Encyclopedia of Mathematics and its Applications, Cambridge University Press, Cambridge.
Krajı́ček, J. (2004), ‘Dual weak pigeonhole principle, pseudo-surjective functions, and provability of curcuit lower bounds’, J. Symbolic Logic
69(1), 265–286.
Krajı́ček, J. & Pudlák, P. (1990), ‘Quantified
propositional calculi and fragments of bounded
arithmetic’, Z. Math. Logik Grundlag. Math.
36(1), 29–46.
Krajı́ček, J. & Pudlák, P. (1998), ‘Some consequences
of cryptographical conjectures for S12 and EF’,
Inform. and Comput. 140(1), 82–94.
Krajı́ček, J., Pudlák, P. & Takeuti, G. (1991),
‘Bounded arithmetic and the polynomial hierarchy’, Ann. Pure Appl. Logic 52(1-2), 143–
153. International Symposium on Mathematical
Logic and its Applications (Nagoya, 1988).
Paris, J. B., Wilkie, A. J. & Woods, A. R. (1988),
‘Provability of the pigeonhole principle and the
existence of infinitely many primes’, J. Symbolic
Logic 53(4), 1235–1244.
Paris, J. & Wilkie, A. (1985), Counting problems
in bounded arithmetic, in ‘Methods in Mathematical Logic (Caracas, 1983)’, Vol. 1130 of
Lecture Notes in Math., Springer-Verlag, Berlin,
pp. 317–340.
Pollett, C. (1997), Arithmetic Theories with Prenex
Normal Form Induction, PhD thesis, University
of California, San Diego.
Pollett, C. (1999), ‘Structure and definability in general bounded arithmetic theories’, Ann. Pure
Appl. Logic 100(1-3), 189–245.
Razborov, A. A. (1995), Bounded arithmetic and
lower bounds in Boolean complexity, in ‘Feasible Mathematics II (Ithaca, NY, 1992)’, Vol. 13
of Progr. Comput. Sci. Appl. Logic, Birkhäuser
Boston, Boston, MA, pp. 344–386.
Thapen, N. (2002), The Weak Pigeonhole Principle
in Models of Bounded Arithmetic, PhD thesis,
Oxford University.